In a much-anticipated court ruling, a Minnesota federal judge said Tuesday that Target Corp. had a duty to protect debit and credit card information from cyberthieves.

U.S. District Judge Paul Magnuson rejected Target's attempt to dismiss claims filed by a group of financial institutions seeking damages related to the retailer's data breach in late 2013, court documents said.

The judge ruled that the plaintiffs, which include the $282 million CSE Federal Credit Union of Lake Charles, La., have a plausible case for negligence because Target played a key role in allowing cyberthieves to hack into computer systems and obtain card data and possibly personal information of card holders, the documents said.

Magnuson agreed to allow three of four claims made by plaintiffs to move forward, but dismissed one count that claimed negligent misrepresentation by omission, which was related to Target's security system, the documents said.

The existing claims allege negligence, failure to provide sufficient security and violations of Minnesota's Plastic Security Card Act, the documents said.

“Plaintiffs have plausibly alleged that Target's actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers' attack began – caused foreseeable harm to plaintiffs,” Magnuson wrote in his decision. “Plaintiffs have also plausibly alleged that Target's conduct both caused and exacerbated the harm they suffered.”

The judge's ruling will enable the five lead plaintiffs, CSEFCU and four banks, to continue on their path of seeking class-action status on behalf of lenders nationwide, the documents said.

The much-anticipated ruling was praised by attorneys representing the credit union and banks.

“We are pleased by the order issued by the court yesterday,” said attorney Bryan Bleichner, a partner with the Minneapolis-based law firm, Chestnut Cambronne, which is part of the legal team representing the plaintiffs. “It was a very good decision for all financial institutions affected by the Target data breach and a positive step forward as we seek to recover the economic losses suffered by financial institutions as a result of the breach.”

Following the Target breach in 2013, the Minneapolis-based retailer faced a storm of lawsuits.

The $220 million Alabama State Employees Credit Union of Montgomery, Ala., was the first financial institution to sue the retailer. Other cooperatives, such as the $38 million First Choice Federal Credit Union of New Castle, Penn., have also joined in litigation across the country aimed at giant retailers such as Target and Home Depot.

The courts have consolidated all the federal cases into two lawsuits, one involving financial institutions and the other including consumers.

The financial institutions are seeking millions in damages to recover costs related to the breach, including issuing new credit and debit cards, according to court records.

In its motion seeking dismissal, Target said the affected credit unions and banks were sophisticated parties that lacked the close ties to the retailer necessary to support the legal claims.

Target also asked Magnuson to dismiss a related class-action lawsuit filed by consumers, according to national media.

More than 40 million credit cards were compromised in the breach and more than 100 million people may have had personal information, such as email addresses and phone numbers, stolen as a result of the incident, according to national media reports.

Target said it does not comment on pending litigation.

Instant Insights /

Target Had Duty to Protect Data: Judge

Related Stories

Recommended For You